Exclude KBID windows update automatic within month

Rahul 276 Reputation points
2022-10-21T03:50:13.887+00:00

Hello Team,

My Azure VM has missing Windows updates which were published 1 month ago by Microsoft. These updates are not shown inside the VM

(Check for Updates ---> Your machine is up to date).

I applied the below monitor rule on the Azure subscription. It will send an alert for missing updates on a daily basis. But if I check inside the VM, the updates are not shown. 22 days have passed so far.

Update
| where TimeGenerated >= ago(10d) and KBID !in ("2267602","5016394")
| summarize arg_max(TimeGenerated, UpdateState) by Computer, KBID, PublishedDate
| where UpdateState == "Needed"

Is it possible to automatically exclude KBIDs that are neither shown nor installed within a month?

I don't want to exclude manually and update the above rule every time.

Do I need to build a different rule specifically for that? OR alter the current Windows Update rule?

For example, KBID "5017593" was published on 27th September 2022 and still won't roll out to my Azure virtual machines.

252767-image.png

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,813 questions
Azure Update Manager
An Azure service to centrally manage updates and compliance at scale.
225 questions

Accepted answer
  1. Stanislav Zhelyazkov 21,336 Reputation points MVP
    2022-10-22T13:28:45.56+00:00

    Hi,
    There are still some unclear details. To be precise, the above updates are for SQL Server, so those are not considered updates for Windows Server/Client, but Windows Update has an option to install updates for other Microsoft products which can be enabled. Most likely this option is not enabled on your Windows Server/Client. Below you can see how that option looks in Windows 11. If you configure an update deployment schedule, you can configure it to exclude specific updates so they are not installed, but you can also select specific update classifications. Those are the only two options in an update deployment schedule where you can exclude something. Of course, you have to be careful with the update classification so as not to exclude updates that you want to install.
    If the above query is used for a Log Alert and you want to change it in a way that those updates are excluded, there are two ways.

    Option 1 - As those updates are optional, you can exclude them with the property that designates whether the update is optional or not:

    Update
    | where Optional == false and UpdateState == "Needed"
    | summarize arg_max(TimeGenerated, UpdateState) by Computer, KBID, PublishedDate

    Option 2 - Exclude updates whose publish date is older than a certain period. In the example below, if the publish date is more than 10 days ago, those updates will not be in the results of the query:

    Update
    | where UpdateState == "Needed" and PublishedDate > ago(10d)
    | summarize arg_max(TimeGenerated, UpdateState) by Computer, KBID, PublishedDate

    Please note that I have made two changes to your query to improve it. If the query is used in an alert, you do not need to filter on the TimeGenerated period. When the query is used in a Log Alert, the results are automatically scoped to the time window defined in the alert rule, so that filter is useless. The second change is that I have moved the filter on UpdateState before the aggregation. It is always better to filter the results before aggregation; otherwise you are aggregating a lot more results, which takes more time to execute the query.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    253262-image.png

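The following query is an added example and is not part of the accepted answer; it combines both options above and widens the window from 10 days to the one-month period the question asks about, so a KB that has been "Needed" but never offered to the VM for over 30 days drops out of the alert without anyone editing a KBID exclusion list. It assumes the standard Log Analytics Update table columns (UpdateState, Optional, PublishedDate, Title, Classification); the lookback value and the DaysSincePublished column name are choices made here.

```kql
// Added example (not the original answer's query). Alert query that reports only
// non-optional updates still "Needed" that were published within the last 30 days.
// No TimeGenerated filter: a Log Alert already scopes the time range for you.
let lookback = 30d;                              // assumption: one month is the cut-off the question describes
Update
| where UpdateState == "Needed"                  // filter before aggregating, as the answer recommends
| where Optional == false                        // Option 1: drop optional (e.g. SQL Server) updates
| where PublishedDate > ago(lookback)            // Option 2: drop anything published more than 30 days ago
| summarize arg_max(TimeGenerated, *) by Computer, KBID, PublishedDate
| extend DaysSincePublished = datetime_diff('day', now(), PublishedDate)
| project TimeGenerated, Computer, KBID, Title, Classification, PublishedDate, DaysSincePublished
| order by DaysSincePublished desc
```

One caveat when relying on the date window: an update that is genuinely required but never reaches the VM (for example because the "other Microsoft products" option is disabled) silently disappears from this alert once it ages past 30 days. Running the same query with the date condition inverted (PublishedDate <= ago(lookback)) on a weekly schedule gives the list of long-outstanding needed updates, so patch debt is still visible somewhere.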

1 additional answer

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    1 deleted comment

    Comments have been turned off.